Von Welch (PI) Susan Sons (HUBzero Engagement Lead) Hubbub 2014 30 September 2014 trustedci.org Cybersecurity for Cyberinfrastructure… and Science!

Presentation transcript:

NSF Cyberinfrastructure Image credit: Alan Blatecky/NSF

NSF Cyberinfrastructure [diagram labels: NSF CI Project; PCs/Mobile; HPC; HTC; HPSS; Instruments; Science Data Servers; Portals; Commodity; Unique; Satellite Links; HPN; Science DMZ; Cloud]

NSF CI Project [diagram labels: Distributed Scientific Community; Multiple Universities and/or Research Orgs (IT and policies); CI, R&E, and Commercial Services; CI and Open Source Software; R&E Networks; …; Services, Risks, Policies; Requirements, Risks; Science!]

So, what is cybersecurity for NSF science?

Cybersecurity Historically: Technology. Firewalls, IDS, encryption, logs, passwords, etc.

Cybersecurity Contemporarily: Cybersecurity supports an organization’s mission by managing risks to information assets.

Translating to NSF projects... Cybersecurity manages risks to the performance and integrity of computational science.

Risks...

Center for Trustworthy Cyberinfrastructure: The goal of CTSC is to provide the NSF community with a coherent understanding of cybersecurity, its importance to computational science, and the resources to achieve and maintain an appropriate cybersecurity program.

CTSC Activities
●Engagements: LIGO, SciGAP, IceCube, Pegasus, CC-NIE peer review, DKIST, LTERNO, DataONE, SEAD, CyberGIS, HUBzero, Globus…
●Education, Outreach and Training: Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects, Securing Commodity IT in Scientific CI Projects Baseline Controls and Best Practices, Training for CI professionals.
●Leadership: Organized 2013, 2014 & 2015 Cybersecurity Summits for Large Facilities and CI, Incident response, IdM Best Practices.

CTSC and HUBzero Engagement

HUBzero and cybersecurity: Used by 60+ communities, some with 10s or 100s of thousands of users. Export control (ITAR) and HIPAA compliance requirements. HUBzero approached CTSC to assess and improve their cybersecurity.

HUBzero/CTSC “Cybercheckup”: Initial week-long “cybercheckup” of existing HUBzero cybersecurity program. Finding was a mature, robust cybersecurity program. Identified places for improvement and further review: better documented physical security, use of two-factor authentication, access control, disaster/incident response plan, and vulnerability scan handling.

In-depth Review
●Web Server Security Model: Covers security measures, both technological and procedural, implemented by the HUBzero operations team.
●Disaster Recovery Plan: Covers operational safeguards that ensure resiliency in case of a major failure, such as a hub hardware failure, and procedures for doing recovery operations.

New Initiatives: Formalizing Procedures
●CMS Security Model: Codifies the design of access control and other security features of HUBzero’s CMS software for program longevity and so that they can be reviewed and improved upon.
●Vulnerability Management: Formalizing the procedures for managing vulnerabilities discovered both in the CMS software and in HUBzero’s operations environment.

Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects: Basis for CTSC evaluation. Will be extended with vulnerability management as part of HUBzero engagement.

Thank You We thank the National Science Foundation (grant ) for supporting our work. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.